For many Microsoft admins, their first encounter with the term “hybrid Office 365” is one of confusion.
A lot of questions are bound to surface while trying to wrap your head around the concept of integrating your on-premises Active Directory with Office 365:
- How do I go from pure on-premises to hybrid mode?
- What components are needed to integrate the local AD with Office 365?
- How and where do I manage attributes in Office 365 hybrid mode?
- How is an Exchange Online mailbox matched up with my on-premises users?
Before answering any of these questions, let’s start with a quick overview of hybrid Office 365.
What is Hybrid Office 365?
In a hybrid Office 365, your on-premises Active Directory is linked with your cloud environment hosted in Microsoft Azure.
To understand this whole concept, you should be familiar with the history of Microsoft Exchange:
With the launch of Windows Server 2000 and Active Directory, Microsoft pulled the Active Directory directory service out of the core of Exchange. Instead, the Active Directory service was implemented in the Windows operating system and used as the configuration store for various Windows services – including Exchange (full story available here).
As a consequence, Exchange ended up being tightly integrated with and dependent on Windows Active Directory.
And this is the fundamental reason that for Microsoft to provide cloud-hosted Exchange mailboxes, they need to also deliver a cloud-hosted Active Directory service as part of the package.
The cloud-hosted Active Directory is usually referred to as Azure AD. And if you intend to run a hybrid Office 365 environment, this additional cloud-hosted AD is a mandatory part of the deal!
The Benefits of Hybrid Office 365
So, with an on-premises AD and an Azure AD to support Exchange Online, you now have to manage two separate Active Directories.
If you don’t integrate (make hybrid) these two Active Directories, then each user will have two credentials to manage, and you’ll be supporting twice the number of user accounts. Not ideal!
Setting up a hybrid Office 365 environment will link the on-premises identities and your cloud identities, making management much easier (if the integration is done properly).
Each synchronized on-premises user account is now ‘glued together’ with the corresponding cloud user account, so practically, you have a single object to manage per user.
But pay attention: Some attributes (e.g., the email address) will be managed on the on-premises user object (and synchronized to the cloud user object). Other attributes (e.g., the MFA settings) are managed directly on the cloud user object. Unless you’re using a third-party tool like Easy365Manager, it’s going to take some effort to figure out where to configure what.
Why Not Remove On-Premises Active Directory?
Wouldn’t life be much easier if you removed your on-premises AD entirely?
It certainly would. Unfortunately, for most companies in 2022, this is not an option.
Suppose you have on-premises file servers, third-party application servers, or other services using AD integrated security. In that case, you still need your on-premises AD for local access control and identity management.
There is no doubt that serverless applications hold a great future, but it’s going to take some time for most companies to get there.
Until all of your (essential) on-premises services are migrated to the cloud, hybrid is the way to go.
The Broken Promise of Exchange Online
For many businesses, the initial driver to start the Office 365 journey is to get rid of the on-premises Exchange Server.
Unfortunately, a nasty surprise awaits at the end of the cloud migration.
According to Microsoft, you must continue running Exchange on-premises – even after the migration is completed!
This is bad news for organizations, as an on-premises Exchange Server is an expensive piece of infrastructure to keep running.
There are, however, a few workarounds to get rid of your final Exchange Server:
- Easy365Manager allows you to manage Office 365 users and mailboxes directly from your on-premises AD (no need for Exchange on-premises and multiple confusing web consoles).
- Since April 2022, Microsoft has offered a path that requires upgrading to Exchange 2019 (before shutting it down) and using PowerShell scripts (no GUI) in addition to a plethora of web consoles.
If you decide to use Easy365Manager, you can perform all daily tasks from AD user properties – even tasks that can only be performed with PowerShell, like calendar permission management:
Azure AD Connect is a free Windows Service that you can download here.
Before you implement Azure AD Connect, you want to take a closer look at your environment:
- Are users configured with valid emails (proxyAddresses)?
- Are all UPNs configured correctly?
- Have you already implemented cloud-only users and mailboxes that you want to glue together with existing on-premises users?
If you don’t have any experience with performing the hybrid Office 365 integration, you should consider reaching out to a consultant. As this is a one-time only operation, it may not be worthwhile to build internal mastery of all aspects of this operation.
Azure AD Connect is quite flexible, and there are no hard rules as such to the format of your UPNs in the on-premises AD relative to Azure AD.
However, as a golden rule, you should consider configuring your UPNs to match in both environments. Even though it may require a change of existing resources, you’ll benefit long term.
To check on the readiness of your on-premises environment, you should use the IdFix tool. This will help you identify and rectify any issues.
Identify and solve all issues with IdFix before commencing with the implementation of Azure AD Connect.
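The readiness questions above (valid proxyAddresses, correctly configured UPNs) can be swept across the directory before the first sync. The following script is an added example, not part of the original article and not a replacement for IdFix; it assumes the RSAT ActiveDirectory module, a placeholder OU in $SearchBase, and that $VerifiedDomains lists the domains verified in your tenant. It goes slightly beyond the text by also flagging users whose UPN differs from their primary SMTP address, a common hybrid convention that the article does not state.

```powershell
# Added example (not from the original article): pre-Azure AD Connect readiness sweep.
# Assumptions: RSAT ActiveDirectory module; $VerifiedDomains and $SearchBase are placeholders.
Import-Module ActiveDirectory

$VerifiedDomains = @('contoso.com', 'contoso.co.uk')   # placeholder: domains verified in the tenant
$SearchBase      = 'OU=Users,DC=contoso,DC=local'       # placeholder: OU that will be synchronized

$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
            -Properties userPrincipalName, mail, proxyAddresses

$findings = foreach ($u in $users) {
    $issues = @()

    # 1. The UPN suffix must be a verified domain; otherwise Azure AD rewrites the UPN
    #    to tenant.onmicrosoft.com and users sign in with a name they do not expect.
    $upnSuffix = ($u.UserPrincipalName -split '@')[-1]
    if (-not $u.UserPrincipalName -or $upnSuffix -notin $VerifiedDomains) {
        $issues += "UPN suffix '$upnSuffix' is not a verified domain"
    }

    # 2. Exactly one primary SMTP address (uppercase 'SMTP:' prefix) is required
    #    for the mailbox to be matched up with the synchronized user.
    $primary = @($u.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' })
    if ($primary.Count -ne 1) {
        $issues += "expected 1 primary SMTP address, found $($primary.Count)"
    }

    # 3. Every SMTP proxy address must be well-formed and use a verified domain
    #    (IdFix reports these as format/domain errors).
    foreach ($addr in $u.proxyAddresses) {
        if ($addr -match '^smtp:') {                      # -match is case-insensitive
            $value = $addr -replace '^[^:]+:', ''
            if ($value -notmatch '^[^\s@]+@[^\s@]+\.[^\s@]+$') {
                $issues += "malformed address '$value'"
            } elseif ((($value -split '@')[-1]) -notin $VerifiedDomains) {
                $issues += "address '$value' uses an unverified domain"
            }
        }
    }

    # 4. Convention beyond the article: UPN and primary SMTP address should match,
    #    which avoids a second identity name users have to learn.
    if ($primary.Count -eq 1 -and ($primary[0] -replace '^SMTP:', '') -ne $u.UserPrincipalName) {
        $issues += 'UPN differs from primary SMTP address'
    }

    if ($issues.Count -gt 0) {
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            UPN            = $u.UserPrincipalName
            Issues         = ($issues -join '; ')
        }
    }
}

$findings | Format-Table -AutoSize
$findings | Export-Csv -Path .\hybrid-readiness.csv -NoTypeInformation
```

Run it as a read-only check and fix the reported objects in AD before installing Azure AD Connect; run IdFix afterwards, since it covers additional attributes (duplicates, invalid characters) that this sweep does not.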
How to Manage Hybrid Office 365
Unfortunately, the management of hybrid Office 365 is a source of great pain for many admins.
This is mainly caused by two facts:
- You need to continue maintaining an on-premises Exchange Server (costly, time-consuming, and exposed to zero-day exploits such as those used in the Hafnium attacks)
- You need to navigate a large list of various management consoles:
- Active Directory Users & Computers
- Azure AD Connect
- Exchange On-Premises
- Microsoft 365 Admin Center
- Azure Portal
- Exchange Online Admin Center
You can solve both of these problems by implementing Easy365Manager:
Easy365Manager is a tiny but powerful snap-in for AD Users & Computers.
When Easy365Manager is installed, you can perform all your daily Office 365 management directly from user properties in AD Users & Computers.
Easy365Manager eliminates the need for Exchange on-premises and eliminates the need to log in to multiple consoles constantly.
How to Optimize Hybrid Office 365 Management
Let’s look at a standard operation like a user leaving your company. For many organizations, this procedure involves the following steps:
- Disable the AD user account.
- Convert the Office 365 mailbox to a shared mailbox.
- Remove the user from the global address list.
- Set up forwarding of emails to the manager (or replacement user).
- Delegate access to the mailbox to the manager (or replacement user) without Outlook automapping.
- Immediately synchronize changes to Office 365.
- Finally, remove the Exchange Online license.
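The seven offboarding steps above, carried out with Microsoft's own tools, look like the following. This is an added example, not Easy365Manager's code and not from the original article; it assumes the RSAT ActiveDirectory, ExchangeOnlineManagement and Microsoft.Graph modules, that it runs on the Azure AD Connect server (where the ADSync module lives), and placeholder values for the leaver, the manager and the license SKU part number.

```powershell
# Added example (not from the original article): leaver offboarding in hybrid Office 365
# using standard Microsoft tooling. Assumptions: modules listed in the lead-in; the script
# runs on the Azure AD Connect server; all names and the SKU part number are placeholders.
param(
    [Parameter(Mandatory)] [string] $LeaverSam,        # e.g. 'jdoe' (placeholder)
    [Parameter(Mandatory)] [string] $ManagerUpn,       # e.g. 'manager@contoso.com' (placeholder)
    [string] $LicenseSkuPartNumber = 'ENTERPRISEPACK'  # placeholder SKU part number
)

Import-Module ActiveDirectory
Import-Module ExchangeOnlineManagement
Import-Module Microsoft.Graph.Users.Actions
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module ADSync

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Organization.Read.All' -NoWelcome

$leaver = Get-ADUser -Identity $LeaverSam -Properties userPrincipalName
$upn    = $leaver.UserPrincipalName

# 1. Disable the on-premises account; the next sync sets accountEnabled=false in Azure AD.
Disable-ADAccount -Identity $leaver

# 2. Convert the mailbox to a shared mailbox so it can exist without a license.
Set-Mailbox -Identity $upn -Type Shared

# 3. Hide from the GAL. In hybrid this attribute is authoritative on-premises; setting it
#    only in Exchange Online would be overwritten by the next synchronization.
Set-ADUser -Identity $leaver -Replace @{ msExchHideFromAddressLists = $true }

# 4. Forward incoming mail to the manager, keeping a copy in the shared mailbox.
Set-Mailbox -Identity $upn -ForwardingAddress $ManagerUpn -DeliverToMailboxAndForward $true

# 5. Grant the manager full access without Outlook automapping.
Add-MailboxPermission -Identity $upn -User $ManagerUpn -AccessRights FullAccess `
    -InheritanceType All -AutoMapping:$false

# 6. Push the on-premises changes (steps 1 and 3) to Azure AD immediately.
Start-ADSyncSyncCycle -PolicyType Delta | Out-Null

# 7. Remove the license, but only after the conversion in step 2 has completed:
#    removing the license from a still-user mailbox starts its deletion grace period.
$deadline = (Get-Date).AddMinutes(10)
do {
    Start-Sleep -Seconds 15
    $type = (Get-Mailbox -Identity $upn).RecipientTypeDetails
} until ($type -eq 'SharedMailbox' -or (Get-Date) -gt $deadline)

if ($type -ne 'SharedMailbox') {
    throw "Mailbox for $upn is still '$type'; license not removed. Re-run step 7 later."
}

$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq $LicenseSkuPartNumber
if (-not $sku) { throw "SKU '$LicenseSkuPartNumber' not found in the tenant." }
Set-MgUserLicense -UserId $upn -RemoveLicenses @($sku.SkuId) -AddLicenses @()

Disconnect-ExchangeOnline -Confirm:$false
Disconnect-MgGraph | Out-Null
```

Note what the script has to touch to complete one leaver: on-premises AD, the Exchange Online endpoint, Microsoft Graph and the Azure AD Connect server, each with its own credentials and module. The wait in step 7 matters because the shared-mailbox conversion is asynchronous; dropping the license while the object is still a user mailbox is the classic way to lose a leaver's mailbox.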
It is very cumbersome to cover these steps using the standard tools offered by Microsoft. You would need to start and log in to the following admin tools:
- AD Users & Computers
- Exchange Online Admin Center
- Exchange On-Premises Admin Center
- Exchange Online PowerShell
- Azure AD Connect PowerShell
- Microsoft 365 Admin Center
With Easy365Manager, you can perform all of the above steps directly from AD user properties in less than 30 seconds:
It only takes a few minutes to install and configure Easy365Manager.
There are no changes made to your AD or Office 365 configuration.
Easy365Manager is built on a very intuitive interface that any admin can pick up without any introduction.
Easy365Manager is available as a 30-day trial that you can download here.